Law Enforcement Blowback, Cyber Insurance Renewals Powering Anti-Ransomware Success

News analysis: SecurityWeek Editor-at-Large Ryan Naraine examines several factors driving success in the fight against data extortion attacks.

Nine months after the Colonial Pipeline hack set off a desperate ‘all-hands-on-deck’ response to the ransomware crisis, there’s a general sense that we’ve seen the worst of the data extortion attacks that exploded in 2021 to include the largest publicly disclosed cyber attack against critical infrastructure in the United States.

According to fresh data from ransomware recovery firm Coveware, there’s been a noticeable dip in major data extortion attacks in the latter half of 2021 and the company’s co-founder and CEO Bill Siegel is crediting a perfect storm of factors for the positive developments.

In an interview with SecurityWeek ahead of a session at this year’s Ransomware Resilience and Recovery Summit, Siegel said law enforcement pressure, cyber insurance renewals requirements, CEO-level anxieties, and the mandatory federal push towards zero-trust have combined perfectly to scare ransomware affiliates away from high-profile infections.

“Volume [of ransomware hacks] is definitely down and it does feel like things have settled down. The Colonial Pipeline incident made it a geo-political issue and that was a turning point,” Siegel said, crediting publicly reported law enforcement hack-back operations for increasing the risk profile of the ransomware affiliate structure.

[ READ: Five Key Signals From Russia’s REvil Ransomware Bust ]

Over the last few months, there have been a series of major takedowns, raids and the unprecedented REvil gang arrests in Russia that Siegel believes have increased the cost and risk of executing ransomware attacks. In addition, the U.S. government has slapped sanctions on crypto-exchanges and VPN providers.

“I think we’re past the top of the highest watermark of heavy volume and intensity of attacks,” Siegel said. “[The law enforcement ops] are imposing costs and making the attacks more expensive. The addressable market will shrink as [attackers] refine their tactics to find quieter targets.”

In addition to raids and takedowns, Siegel said the White House executive order on cybersecurity is forcing the implementation of key technologies and best practices to ensure government and corporate networks are more resilient to attacks by malicious hackers.

“The executive orders around zero trust and multi-factor authentication are helping to get the right controls in place to limit ransomware damage,” Siegel said, noting that early work to implement multi-factor authentication and encryption for data at rest and in transit is trickling down to help harden even the vendors that support U.S. federal agencies.

[ READ: DarkSide Shutdown: An Exit Scam or Running for the Hills ]

Cybersecurity leaders in the private sector agree that the government’s push to beef up investments in zero trust architecture and MFA has influenced positive network design decisions, especially at small- and medium-sized businesses that will continue to deal with the brunt of ransomware attacks.

In multiple conversations about ransomware resilience with Chief Information Security Officers (CISOs), the topic swiftly turns to “zero-trust and MFA” as the foundational pieces needed to limit exposure to hacker attacks. As the CISO for a fast-growing financial services startup explained, “we didn’t need the EO to tell us about the value of MFA but we certainly used the EO to get funding to go do it.”

“We’re benefiting from a top-down push for all the right things. It’s easier for me to use ‘zero-trust’ or ‘two-factor’ in a budget meeting and those conversations are very clear with my leadership,” he added.

This, Coveware’s Siegel confirms, is another major factor at play as corporate CEOs look to avoid being dragged before lawmakers to explain security crises. “Ransomware is now a topic on CNBC and CEOs are paying close attention.”

He specifically mentioned the Colonial Pipeline incident as a watershed moment for chief executives who are now pushing for better security and better incident preparedness. “It’s easier for a CISO to get funding for the right things and the EO has helped with that.”

[ READ: NSA’s Rob Joyce Explains ‘Sand and Friction’ Security Strategy ]

The results are already noticeable. “At a high level, the outcomes of our cases are getting better,” Siegel said, noting that ransoms are only paid by companies with immature disaster recovery processes.

“The percentage of victims that end up having to pay, that’s going down. It tells me companies have gotten much better at disaster recovery and incident response. Companies are planning and doing backups better. That’s a fact.”

Security leaders also point to another key factor — cyber-insurance renewals that are mandating stricter security controls to maintain insurance policies.

Even as the cyber-insurance sector struggles to figure out the economics (premiums have effectively quadrupled year-over-year), Siegel has noticed a pattern in which renewal requirements force organizations to adopt better security controls.

[ READ: The Wild West of the Nascent Cyber Insurance Industry ]

“They’re imposing better standards for sure. If you want a cyber insurance policy, you have to attest to MFA, segmentation, adequate back-ups, testing, and running tabletop exercises. These are all crucial controls for a mature disaster recovery program,” he said.

“For a B2B company, customer contracts require them to carry cyber insurance so it’s win-win. They must have better, basic controls in place to get policies renewed.”

Still, even amidst the rare good news, Siegel is warning that the shakeout will force the active criminal ransomware gangs to focus on hitting smaller companies with fewer than 10,000 employees.

He said criminal gangs will selectively focus on mid-market companies large enough to attempt a large ransom demand, but small enough to avoid law enforcement blowback.

Related: DarkSide Shutdown: An Exit Scam or Running for The Hills

Related: REvil Ransomware Gang Hit by Law Enforcement Hack-Back

Related: Colonial Pipeline CEO Explains $4.4M Ransomware Payment

Related: Black Hat 2021: New CISA Boss Unveils Anti-Ransomware Collab

Related: Five Key Signals From Russia’s REvil Ransomware Bust

Related: US Treasury Sanctions Crypto Exchange in Anti-Ransomware Crackdown

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends.
Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.